Target Audience The target audience for this blog post is individuals who have a basic understanding of cybersecurity concepts and terminology and are looking to expand their knowledge of adversary emulation. This post delves into the details of adversary emulation with the Caldera framework and explores the benefits it offers. By catering to a beginner to intermediate … Continue reading A Beginner’s Guide to Adversary Emulation with Caldera
Category: Red Team
Unlocking the power of Red Teaming: An overview of trainings and certifications
NVISO enjoys an excellent working relationship with SANS and has been involved as Instructors and Course Authors for a variety of their courses: for SEC511, Continuous Monitoring and Security Operations, Maxim Deweerdt is a Certified Instructor; for SEC575, iOS and Android Application Security Analysis and Penetration Testing, Jeroen Beckers is the Course Author; for SEC598, … Continue reading Unlocking the power of Red Teaming: An overview of trainings and certifications
Introducing CS2BR pt. II – One tool to port them all
Introduction In the previous post of this series we showed why Brute Ratel C4 (BRC4) isn't able to execute most BOFs that use the de facto BOF API standard by Cobalt Strike (CS): BRC4 implements its own BOF API, which isn't compatible with the CS BOF API. Then we also outlined an approach to solve this … Continue reading Introducing CS2BR pt. II – One tool to port them all
Introducing CS2BR pt. I – How we enabled Brute Ratel Badgers to run Cobalt Strike BOFs
If you know all about CS, BRC4 and BOFs, you might want to skip this introduction and get right into the problem statement. You can also jump right to the solution. Introduction When we conduct Red Team assessments at NVISO, we employ a wide variety of proprietary and open source tools. One central component in … Continue reading Introducing CS2BR pt. I – How we enabled Brute Ratel Badgers to run Cobalt Strike BOFs
Analysis of a trojanized jQuery script: GootLoader unleashed
Update 24/10/202: We have noticed 2 changes since we published this report 3 months ago. The code has been adapted to use registry key “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Personalization” instead of “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Phone” (sample SHA256 ed2f654b5c5e8c05c27457876f3855e51d89c5f946c8aefecca7f110a6276a6e). When the payload is Cobalt Strike, the beacon configuration now contains hostnames for the C2, like r1dark[.]ssndob[.]cn[.]com and r2dark[.]ssndob[.]cn[.]com (all prior CS samples we … Continue reading Analysis of a trojanized jQuery script: GootLoader unleashed
CVE Farming through Software Center – A group effort to flush out zero-day privilege escalations
Intro In this blog post we discuss a zero-day topic for finding privilege escalation vulnerabilities discovered by Ahmad Mahfouz. It abuses applications like Software Center, which are typically used in large-scale environments for automated software deployment performed on demand by regular (i.e. unprivileged) users. Since the topic resulted in a possible attack surface across many … Continue reading CVE Farming through Software Center – A group effort to flush out zero-day privilege escalations